1. Field of the Invention
The present invention relates to method and apparatus for allowing user-friendly access control setup for Universal Plug and Play networks.
2. Description of the Related Art
Universal Plug and Play networking technology defines an architecture for peer-to-peer network connectivity of intelligent appliances, such as, wireless devices, and personal computers. It is designed to bring easy-to-use, flexible, standards-based connectivity to ad-hoc or unmanaged public or private networks. It also provides a distributed, open networking architecture that leverages TCP/IP and Web technologies to enable seamless proximity networking, in addition to, control and data transfer among networked devices. Hence, Universal Plug and Play Device Architecture (UDA) is designed to support zero-configuration networking and automatic discovery of device categories from a wide range of vendors. UDA, thus, enables a device to dynamically join a network, obtain an IP address, convey its capabilities, and learn about the presence and capabilities of other devices.
Universal Plug and Play forum has specified standards for many kinds of services, for example, for audio/visual equipment, home automation, printing and Wide Area Network connectivity. Thus, standardised interfaces can be implemented by device manufacturers to allow their devices to be controlled and used by other devices. Universal Plug and Play security offers a way to achieve security for device authentication, command authorization and encrypted actions for Universal Plug and Play services. In theory, Universal Plug and Play security enables one to define device-specific access control. Specifically, Universal Plug and Play security defines a security console, where a device is used to “take ownership” of other devices. Once the security console has taken ownership of a device, it can define which devices are allowed to use the services provided by this device.
Although Universal Plug and Play security has been standardized, it has not been accepted by the industry. The main reason has been the complexity of the security standard and the fact that Universal Plug and Play networks are typically simple and, therefore, lack the need for this kind of complex security. Specifically, taking ownership of a device requires that a user reads a public key hash of a target device and compares the public key hash to a hash shown on a screen of the security console device. Reading and comparing full length hashes is very error-prone and inconvenient for the user. Although the Universal Plug and Play security standard allows the user to attach a USB cable between two devices to avoid requiring the user to read and compare full length hashes, this approach is also not user-friendly.
Wireless Fidelity (WiFi) devices which may be used in a Universal Plug and Play network are certified, by the WiFi Alliance, as interoperable with each other, even if they are from different manufacturers. Specifically, a WiFi Protected Setup protocol has been specified by the WiFi Alliance as an interoperability standard which describes how wireless Local Area Networks (LAN) can be set up and how new devices can be added to these networks in a secure and user-friendly fashion. The WiFi Protected Setup protocol includes an Application Extension Mechanism which enables bootstrapping of application-level shared secrets from link layer security keys that are securely distributed as a part of the WiFi Protected Setup.
In a “smart” home, there is typically a secured wireless network with many interconnected devices. Some of the devices provide services that other devices can use. By nature, some privileged services, such as controlling a home automation system or accessing personal documents, are private or confidential. Thus, the person controlling the home network should be able to define which devices (or more precisely, which “control point” devices) are allowed to access these privileged services. The operation of defining the access control rules for different devices and services should be as user-friendly as possible, since it will likely be performed by average consumers instead of network administration professionals.
However, there is currently no user-friendly solution for defining access control rules for a Universal Plug and Play network or any other type of home network. Although Universal Plug and Play security was designed for this, as noted previously, it has serious shortcomings. One inherent problem in a user-friendly access control setup is that security associations (either shared secrets, authenticated public keys or mutually trusted certificates) must be somehow established between the devices at hand. Since in a home environment there are no trusted authorities, the user has to do this bootstrapping of security associations. Typically, this means that the user has to either manually configure shared keys between devices or enter PIN codes to devices.
None of the current security standards allows a single action operation in which a new user is granted network access in addition to the set of needed access rights to the individual devices in the network. This makes for a clumsy and error-prone user experience where, for example, one PIN code is needed in order to provide the user with a WLAN key, another PIN code is needed for issuing the user with the rights associated with use of a particular Universal Plug and Play media server device and yet another PIN code needed to grant the user access to an automation device, such as a climate control device. Therefore, no current mechanism makes it possible for a device joining the network to be provided with all the needed security keys in one simple interaction.